Duplicates

Duplicate findings

There is nothing more frustrating for a vulnerability researcher than to find that their bug is a duplicate of a previously reported one. We know that! Sometimes, what you spent hours, days, or weeks investigating is lost simply because someone else found it and reported it a couple of days, hours, minutes, or (it happened once!) seconds before you.

We understand the feeling, and we work as hard as possible with the engineering and product teams to fix vulnerabilities as quickly as possible (which reduces the window in which a duplicate can be filed), but unfortunately it's bound to happen. We've seen it happen for all types of bugs, from "obvious" low-hanging vulnerabilities to really complex chains of bugs.

Our first recommendation is to sign up for our vulnerability research grants program, which issues rewards even when no vulnerabilities are found. In addition, to reduce the chance that your report is marked as a duplicate, please tell us as early as possible about all of the bugs you find, even if they are not yet exploitable (you can amend the report later to claim the full Bug Chain Bonus). If you decide to go after a "popular" target (e.g., acquisitions just after the 6 month mark, or a recently launched product), keep in mind that someone may have reported the bug just before you.